Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keeping secrets in your infrastructure pipeline

Rosemary Wang
December 09, 2020
Technology
1
150

Keeping secrets in your infrastructure pipeline

Presented at GitHub Universe, December 9, 2020.

You’ve set up your infrastructure as code in GitHub Actions to securely test and deploy to production. One year later, you discover the account keys you used for automation have been compromised! In a panic, you scramble around multiple repositories looking for where you used the account keys and throw together a script to rotate them. You start to wonder, “is there a better way I could have managed my secret?” In this talk, you’ll learn how to manage secrets in your infrastructure pipeline using HashiCorp Vault and Terraform with GitHub Actions. By using Vault’s dynamic secrets engines, you can rotate, audit, and manage the lifecycle of your infrastructure account keys and API tokens. In addition to managing service account keys for Terraform automation, we’ll cover how Vault can generate secrets such as database passwords for creating infrastructure resources.

Rosemary Wang

December 09, 2020
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Secure Day 2 operations with Boundary and Vault
joatmon08
0
11
Can You Test Your Infrastructure as Code?
joatmon08
1
42
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
20
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
23
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
27
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
36
Building a Developer Platform? Ask these questions.
joatmon08
0
22
From Cloud-Hosted to Cloud-Native
joatmon08
0
49
Refactoring Applications for Dynamic Secrets
joatmon08
1
35

Other Decks in Technology

See All in Technology
OSTという文化を組織に根付かせてみた
sansantech
PRO
2
410
Kubernetesって何? -大規模なKubernetesを運用するKubernetes as a Serviceチームの話を添えて-
lycorptech_jp
PRO
0
250
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
46k
持続可能なソフトウェア開発を支える『GitHub CI/CD実践ガイド』
tmknom
8
1.4k
Oracle Autonomous Database:サービス概要のご紹介
oracle4engineer
PRO
1
7.1k
Road to Single Activity
yurihondo
2
240
グイグイ系QAマネージャーの仕事
sadonosake
0
350
2024年のナビゲーション・フォーカス対応:Composeでキーボード・ナビゲーションをサポートしよう
tahia910
0
110
watsonx.ai Dojo 環境準備について
oniak3ibm
PRO
0
350
Mocking in Rust Applications
taiki45
2
420
たった1人からはじめる【Agile Community of Practice】~ソース原理とFearless Changeを添えて~
ktc_corporate_it
1
500
忙しい人のためのLangGraph概要まとめ
__ymgc__
1
200

Featured

See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Docker and Python
trallard
39
3k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Facilitating Awesome Meetings
lara
49
6k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
123
18k
A Modern Web Designer's Workflow
chriscoyier
692
190k
The Language of Interfaces
destraynor
153
23k
Music & Morning Musume
bryan
46
6k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
23
1.7k
GraphQLの誤解/rethinking-graphql
sonatard
65
9.8k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
27
7.4k
Building Better People: How to give real-time feedback that sticks.
wjessup
359
19k

Transcript

  1. Copyright © 2020 HashiCorp Keeping Secrets in your Infrastructure Pipeline

    GitHub Universe | December 2020

  2. Infrastructure Pipeline Continuous Integration pipeline for infrastructure as code. @joatmon08

  3. @joatmon08 PLAN SECURITY TESTS UNIT TESTS APPLY BUILD & DEPLOY

    INTEGRATION TESTS

  4. These secrets are a year old… I think? @joatmon08

  5. @joatmon08 PLAN SECURITY TESTS UNIT TESTS APPLY BUILD & DEPLOY

    INTEGRATION TESTS I COMMITTED THE DATABASE PASSWORD TO GITHUB!

  6. Plan R 1.Regret 2.Revoke 3.Rotate 4.Reference 5.Replace 6.Re-run @joatmon08

  7. Rosemary Wang (She/Her) Developer Advocate at HashiCorp joatmon08.github.io @JOATMON08 JOATMON08

    LINKEDIN.COM/IN/ ROSEMARYWANG

  8. Service Accounts Logs into infrastructure provider (e.g., service account keys

    or API tokens) Resource Attributes Passed to infrastructure resources (e.g., database passwords or certificates) Generated Secrets Created by infrastructure pipeline (e.g., random passwords or tokens)

  9. Service Accounts Logs into infrastructure provider (e.g., service account keys

    or API tokens) Resource Attributes Passed to infrastructure resources (e.g., database passwords or certificates)

  10. Use a Secrets Manager @joatmon08

  11. Plan R 1.Regret 2.Revoke 3.Rotate 4.Reference 5.Replace 6.Re-run @joatmon08 Secrets

    Manager Pipelines You!

  12. @joatmon08 PLAN SECURITY TESTS UNIT TESTS APPLY BUILD & DEPLOY

    INTEGRATION TESTS GET SECRETS AUTHENTICATE TO SECRETS MANAGER SECRETS INJECTION

  13. @joatmon08 PLAN SECURITY TESTS UNIT TESTS APPLY BUILD & DEPLOY

    INTEGRATION TESTS GET SECRETS AT PATH AUTHENTICATE TO VAULT VAULT GITHUB ACTION SECRETS INJECTION

  14. @joatmon08 HCP (VAULT ON AWS) AMAZON WEB SERVICES AWS RDS

    (POSTGRESQL) Key Value Secrets Engine GITHUB AppRole Auth Method Database Secrets Engine GET READ-ONLY CREDENTIALS FOR APPLICATION Infrastructure Pipeline AWS Secrets Engine /PIPELINE /BOOTSTRAP /AWS /CREDS /PIPELINE TOKEN CREATE MANAGED DATABASE LOG INTO VAULT WITH PIPELINE ROLE AND SECRET AWS STS PEERED NETWORKS (PRIVATE)

  15. github.com/joatmon08/ infrastructure-pipeline @joatmon08

  16. References ▪ github.com/hashicorp/vault-action ▪ learn.hashicorp.com/tutorials/terraform/github-actions ▪ hashicorp.com/cloud-platform ▪ vaultproject.io/docs/secrets/aws ▪

    vaultproject.io/docs/secrets/kv ▪ vaultproject.io/docs/secrets/databases/postgresql ▪ hashicorp.com/resources/secure-gitops-workflows-with-github-actions- and-hashicorp-vault @joatmon08